2.0.0.23 is available

Bug #416646 reported by Jamie Strandboge
Affects: thunderbird (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Alexander Sack

Bug Description

Binary package hint: thunderbird

This is simply for our USN database since there are no applicable CVEs for 2.0.0.23.

Changed in thunderbird (Ubuntu):
assignee: nobody → Alexander Sack (asac)
status: New → Fix Committed
security vulnerability: no → yes
Jamie Strandboge (jdstrand) wrote :
Changed in thunderbird (Ubuntu):
status: Fix Committed → Fix Released
Fumihito YOSHIDA (hito) wrote :

Hi Jamie,

Is USN-817-1 really so?
| Several flaws were discovered in the rendering engine of Thunderbird.
| If Javascript were enabled, an attacker could exploit these flaws to crash Thunderbird.

This description seems to be 2.0.22's, but USN-817-1 points to 2.0.23's.
(Thunderbird 2.0.22 is USN-782-1)

So our fix is CVE-2009-2408/MFSA2009-42.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

Maybe the valid details are as below (from mitre.org):
| Thunderbird did not properly handle a NULL character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers
| to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate
| Certification Authority.

Please check.

Jamie Strandboge (jdstrand) wrote :

Thunderbird uses the system NSS library and is not affected by the NUL character vulnerability (it was fixed in USN-810-1). Mozilla.org also fixed rendering crashers in 2.0.0.23 without issuing MFSA for them, so I wrote a general advisory for them.

Fumihito YOSHIDA (hito) wrote :

Ah, roger. I confirmed it from the 2.0.0.22/2.0.0.23 source diff. Thanks.
